In a nutshell

The totally revised FADP will enter into force on September 1, 2023 without a general transition period. However, Art. 69 states that some selected articles are not applicable to certain data processing operations. The standard stipulates that this only applies, however, if these data processing operations began before the entry into force of the totally revised FADP and neither the purpose of the processing was changed nor new data was obtained after its entry into force. In this sense, the article excludes the preventive measures of Art. 7, 22 and 23 in certain cases. In this way, the legislator wanted to avoid the possibility that data controllers could be held liable after the fact, thereby incurring additional effort and costs.

I. General

A. Overview

1The totally revised FADP does not contain any transition periods that would have to be taken into account by data controllers or other data subjects. In this respect, it applies in principle as of September 1, 2023. However, in the 10th chapter, the final provisions, there are some relevant transitional provisions. These are specifically contained in Art. 69 to 72. The present Art. 69 specifically provides that Art. 7, 22 and 23 are not applicable to data processing in certain cases. This applies to those processing operations that were started before the revised FADP entered into force on September 1, 2023, and whose processing purpose was neither changed nor new data added to the data processing process after the entry into force.

B. History of origins

2When the totally revised FADP enters into force on September 1, 2023, the standards will apply throughout Switzerland and will thus be applicable, provided that Articles 2 and 3 para. 1 are fulfilled. However, as is common in other laws, there are exceptions to this principle or at least transitional provisions which are intended to simplify the transition between the old and new catalog of standards. The latter was provided for in an Art. 64 FADP. This provided for three exceptions, namely a retroactive effect of the data subjects' right to information in the case of already completed data processing (para. 1), a transitional period for the adaptation of continuing data processing (para. 2) and the non-applicability of certain provisions in the case of unchanged continuing data processing (para. 3). In paragraph 4, the principle of application of the provisions upon entry into force was established. Finally, however, all paragraphs were deleted - except for the aforementioned paragraph 3, which is now found in the present Art. 69.

C. Purpose of the Norm

3Art. 69 ensures that a retroactive application of Art. 7, 22 and 23 is prevented if specific conditions are met. In this way, the legislator facilitates the transition between the existing and the totally revised FADP and saves the responsible parties additional effort and costs. In addition, the article ensures that no obligations are subsequently imposed on data controllers. A retroactive effect of the law, which may be problematic in individual cases, is thus avoided. At the same time, the significance of this article is limited, especially since the FADP generally does not provide for any relevant transition periods.

II. Content

A. Requirements

4In terms of content, Art. 69 refers to Art. 7, 22 and 23. While Art. 7 enshrines the principles of privacy by design (data protection by design) and privacy by default (data protection by default) (see in detail the OC Clause on Art. 7 FADP), Art. 22 and 23 refer to the data protection impact assessment (DSFA) (see OC Harasgama/Haux on Art. 22 FADP). Art. 22 sets out the basis for conducting the DIA and 23 sets out some requirements for consulting the FDPIC if a DIA reveals that there is a high risk to the personality or fundamental rights of the data subject despite risk mitigating measures taken.

5These obligations must in principle be taken into account prior to the respective processing of the data and are not to be imposed retroactively on the data controller by means of this transitional provision. In terms of this prohibition of retroactivity, the norm requires that the data processing has begun before the effective date. It must therefore have started before September 1, 2023 and must neither have been planned (as defined in Art. 7 para. 1 FADP) nor already completed. While the distinction between the mere planning and the actual implementation of data processing can be determined in individual cases, the question arises as to how implementation is to be distinguished from the termination of data processing. It must be taken into account here that termination can only be assumed when the purpose of the processing has been achieved. The situation in which the purpose is de facto no longer achievable is equated.

6As a second prerequisite, the previously defined processing purpose must continue unchanged. This means that the purpose was sufficiently determined and specified at the beginning of the data processing and continues to exist unchanged at the time of the entry into force of the totally revised FADP (cf. in detail the commentary on Art. 6 para. 3 FADP on the determination of the processing purpose). In this context, the question arises as to what applies if only some processing purposes are continued, but others are abandoned. This would be the case if, for example, a database with patient data from clinical trials is initially processed for further clinical trials in the same field of research (purpose 1) and for the training of a prognosis tool based on artificial intelligence (AI) (purpose 2), and after the entry into force of the totally revised FADP, data processing only takes place for clinical trials, i.e. for purpose 1. The assumption that this is covered by the wording of Art. 69 is supported by the fact that in any case there is no expansion of the processing purposes. Rather, the existing ones are pursued further - albeit in a reduced form.

7Thirdly, the data stock of the data processing in question must continue to exist unchanged. According to the wording of the law, therefore, "no new data may have been obtained". The process of "obtaining" is "an active, targeted and deliberate act of collecting the personal data in question". The decisive factor is the targeted, active act. Passively obtaining data, on the other hand, is not included. Other authors come to a similar conclusion by focusing on the planned nature of the act.

8 However, it is unclear how the phrase "no new data" should be interpreted. A narrow interpretation would lead to the fact that for a constant data processing process with fixed data categories, the transitional provision would not apply insofar as additional data (points) about additional persons are obtained with constant data categories. This would be the case regardless of how these additional data (points) affect the processing process or purpose. This assessment could be justified by the fact that the data set or the scope of the existing data would be changed or increased. As an example, consider an AI-based HR tool at a company that processes additional data (points) from new applicants or employees after September 1, 2023. The data stock or the scope of this stock would thus be changed or increased, so that if the other requirements of Art. 69 are met, a data protection impact assessment would have to be carried out again according to this narrow interpretation. While the message certainly suggests such an interpretation, such a narrow interpretation does not correspond to the sense and purpose of the provision. In fact, this would mean that all continuing data processing operations in which it is possible that data on additional individuals will be obtained after September 1, 2023, would not be covered by the provision. The scope of application of Art. 69 would thus be negligibly narrow. This narrow interpretation is not followed in the present case. Against this background, two possible interpretations are possible: (1) Art. 69 only applies if new data categories are procured, but not in the case of a mere change or expansion of the scope of the same data categories or data points. This would be the case, for example, if an online form provided for a sweepstakes after September 1, 2023, no longer collects only name, contact information and answer to the sweepstakes question, but asks for more extensive information about interests and hobbies. Or: (2) Art. 69 is not applicable to any data processing operations if - according to the Message, narrowly interpreted - the data stock or the data volume per se is increased or changed, even though the categories of data procured remain unchanged and a resulting change in the processing purpose or the process cannot be ruled out.

9 There is also discussion as to whether data that has already been procured in advance, but is subsequently added, precludes the applicability of Art. 69 FADP. Based on the wording, some authors argue that the processing of these data falls under the exception, at least if they were obtained for the same purpose. However, this is contradicted by the fact that the environment of data processing is so deeply affected by technological innovations that the exception of Art. 69 FADP should only apply under narrow conditions and should therefore be interpreted restrictively. If new data is added to the data stock, the data stock can hardly be described as "unchanged", i.e. as remaining the same, if this data has already been obtained in the context of another data processing purpose. Whether this question will gain in importance and contour in practical application, however, seems questionable, especially since overall the practical relevance of this standard can be assumed to be rather low. This is especially true since the principle of Art. 7 was already partially established before the entry into force of Art. 4 and 7 of the aDSG, and data controllers were also partially obligated to do so due to the DSGVO. The same applies to Art. 22 and 23 (see in detail the commentary by Harasgama/Haux on Art. 22 FADP).

B. Challenges

10With the entry into force of the totally revised FADP, data controllers face numerous challenges. Although the wording of Article 69 of the FADP is brief and may be lost sight of, it should be given the necessary attention in this context. While data processing that was in progress before the entry into force and meets the other requirements is unquestionably covered by the exemption, legal advice must always be sought on detailed questions and on the application of new technologies in data processing processes that were already planned and/or tested before the entry into force of the totally revised FADP. In this case, it is important to determine precisely whether the data stock or processing purpose has actually remained unchanged or whether changes have been made or must be made. If this is the case, it must be assumed in case of doubt that the standard is not applicable.

Bibliography

Dauag Apollo, Kommentierung zu Art. 69 DSG, in: Baeriswyl Bruno/Pärli Kurt/Blonski Dominika (Hrsg.), Stämpflis Handkommentar zum DSG, 2. Aufl., Zürich/Basel, 2023.

Rosenthal David, Das neue Datenschutzgesetz, Jusletter, 16. November 2020.

Rosenthal David/Jöhri Yvonne, Handkommentar zum Datenschutzgesetz sowie weiteren, ausgewählten Bestimmungen, Zürich 2008 (zit. HK-DSG).

Materials

Botschaft vom 15. September 2017 zum Bundesgesetz über die Totalrevision des Bundesgesetzes über den Datenschutz und die Änderung weiterer Erlasse zum Datenschutz, BBl 2017 S. 6941 ff., abrufbar unter: https://fedlex.data.admin.ch/eli/fga/2017/2057, besucht am 5.6.2023.